The exploit makes it possible for the bad guys to take over your PC when the victim pulls up a maliciously crafted HTML document. The advisory that was issued said, “By convincing a victim to view an HTML document (web page, HTML e-mail, or e-mail attachment) with Apple Safari, an attacker could run arbitrary code with the privileges of the user running the application.”

At issue is a problem with how Safari handles references to Window objects, according to US-CERT. The short version is that Safari can allow a window within the app to be closed while references to that window are allowed to persist. JavaScript code can then use such a stale reference in a way that lets the bad guys control your computer.

Apple has not yet released a patch for the hole, but US-CERT said that disabling JavaScript could mitigate the exploit. The advisory also urged users not to follow unsolicited links (say, in spam e-mail), while noting that a trusted site that had been compromised could still host a malicious Web page that leads to an attack.